Commit Graph

1860 Commits

Author SHA1 Message Date
Willem Toorop 7f4bdc0868 Bumb versions 2015-11-04 23:25:38 +01:00
Willem Toorop eb4ba438f7 return_validation_chain + roadblock_avoidance bug 2015-11-05 07:11:51 +09:00
Willem Toorop 8a6f7d5b90 Merge branch 'develop' into features/dnssec_roadblock_avoidance 2015-11-04 17:49:21 +09:00
Willem Toorop 0c3eb08f4d Merge branch 'features/call_debug' into develop 2015-11-04 16:23:22 +09:00
Willem Toorop 3a19050413 Code review changes
Commented inline on github
2015-11-04 16:18:22 +09:00
wtoorop 7230031c0a Merge pull request #119 from dkg/ietf94-privacy-hackathon
Thank you dkg!  Great work!

Interestingly you've put the configuration of those two features at "context" level.  Since both options (just like cookies) relate to upstreams, I think they should be configurable per upstream as well  (perhaps using the context settings as the defaults, over-loadable by those upstream options).  With my cookie implementation, I've implemented activation with an extension, but cookies also relate to upstreams, so perhaps they should be enableable per upstream as well (and have a global over-loadable setting in context).

Cheers,
-- Willem
2015-11-02 16:26:25 +09:00
Gowri 1bccd56244 Name change on test server certificate 2015-11-02 03:05:17 +01:00
Daniel Kahn Gillmor c322a8a330 add -P flag to getdns_query for EDNS padding policy 2015-11-01 15:49:56 +09:00
Daniel Kahn Gillmor 83bf5ab08b actually implement tls_query_padding_blocksize
since no DNS OPT value has been allocated, i chose a random value in
the experimental/local range.
2015-11-01 15:49:56 +09:00
Daniel Kahn Gillmor 1457c1a2b5 stash tls_query_padding_blocksize in the dns_req from the context 2015-11-01 15:49:56 +09:00
Daniel Kahn Gillmor b3128652f4 add tls_query_padding_blocksize property for getdns_context
This is a parameter to the getdns_context that tells the context how
much to pad queries that go out over TLS.

It is not yet functional in this commit, but the idea is to pad each
outbound query over TLS to a multiple of the requested blocksize.

Because we only have a set amount of pre-allocated space for dynamic
options (MAXIMUM_UPSTREAM_OPTION_SPACE), we limit the maximum
padding blocksize.

This is a simplistic padding policy.  Suggestions for improved padding
policies are welcome!
2015-11-01 15:49:56 +09:00
Daniel Kahn Gillmor 8291cdb455 add -c flag for EDNS Client Subnet privacy to getdns_query 2015-11-01 15:49:56 +09:00
Daniel Kahn Gillmor 05585281eb add test for context update callback for edns_client_subnet_private 2015-11-01 15:49:56 +09:00
Daniel Kahn Gillmor df3725e635 added edns_client_subnet_private to getdns_context
https://tools.ietf.org/html/draft-ietf-dnsop-edns-client-subnet-04

Using the above spec, an intermediate resolver may forward a chunk of
the client's IP address to the authoritative resolver.

Setting edns_client_subnet_private to a getdns_context in stub mode
will indicate to the next-hop recursive resolver that the client
wishes to keep their address information private.
2015-11-01 15:49:50 +09:00
Willem Toorop b062974fb1 ub_setup_recursion also for non roadblock avoidance 2015-11-01 15:48:31 +09:00
Daniel Kahn Gillmor 0b388872ea clarify per-query options vs. per-upstream options
Sending DNS cookies was overwriting any existing options (DNS OPT) in
the outbound query.

Also, DNS cookies may not be the only option that gets set
per-upstream (instead of per-query).

This changeset establishes a set of per-query options (established at
the time of the query), and a buffer of additional space for adding
options based on the upstream is in use.

The size of this buffer is defined at configure time (defaults to 3000
octets).

Just before a query is sent out, we add the per-upstream options to
the query.

Note: we're also standardizing the query in tls too, even though we're
not sending any upstream options in that case at the moment
(edns_cookies are much weaker than TLS itself)
2015-11-01 15:47:22 +09:00
Daniel Kahn Gillmor 3e90795680 enable talking to servers with ECDSA certs
There is no clear reason to reject servers that don't have RSA certs.
We should accept ECDSA certs as well.

(also, clean up comments about opportunistic TLS)
2015-11-01 15:47:03 +09:00
Willem Toorop af6947cbb3 Merge branch 'develop' into features/dnssec_roadblock_avoidance 2015-11-01 15:34:21 +09:00
Willem Toorop 8b9041325b Bugfix don't grow upstreams memory
upstreams have internal references and cannot be realloc'ed easily
2015-11-01 15:23:26 +09:00
jad 30043d2ba5 corrected name 2015-11-01 13:09:18 +09:00
jad 51eb2fdf55 working prototype 6 2015-11-01 12:47:49 +09:00
Willem Toorop ae2cc39a36 Full roadblock avoidance functionality 2015-11-01 12:28:43 +09:00
jad f5662bbf32 working prototype 5 2015-11-01 11:43:12 +09:00
jad 2d20e18b8a working prototype 4 2015-11-01 11:14:45 +09:00
jad 25f7f2182b working prototype 3 2015-11-01 11:04:03 +09:00
jad 80864655d7 Working prototype 2 2015-11-01 10:51:00 +09:00
jad a85b17c885 working prototype 1 2015-11-01 10:24:02 +09:00
Willem Toorop 58885e04d7 dnssec_roadblock_avoidance extension 2015-10-31 21:04:08 +09:00
Willem Toorop 35c803208b Bit more concise and clear confusing code text 2015-10-31 18:24:24 +09:00
Willem Toorop fb6642d6a5 Print response dict when there is one 2015-10-31 17:59:14 +09:00
Willem Toorop 521e46879b Document that thing that we keep forgetting about 2015-10-31 17:15:36 +09:00
Willem Toorop 9ce441e59a --enable-debug-sched for getdns_query too 2015-10-31 16:24:49 +09:00
Willem Toorop de59b700ce Fix libidn really absent + NetBSD fixes 2015-10-29 19:13:39 +01:00
Willem Toorop 0a717f5d51 Warning with older (less intelligent) compiles 2015-10-29 16:25:07 +01:00
Willem Toorop d691973571 Bumb versions for 0.5.0 release 2015-10-29 15:43:00 +01:00
Willem Toorop 8c3d348f05 Help text typo 2015-10-27 16:43:25 +01:00
Willem Toorop 3c5f2d4c4d Merge branch 'v0.5.0' of github.com:getdnsapi/getdns into v0.5.0 2015-10-27 16:39:09 +01:00
wtoorop a8351f80e6 Merge pull request #117 from saradickinson/bugfix/tls_ciphers
Fix error that was not allowing cipher suite fallback for opportunist…
2015-10-27 16:38:25 +01:00
Sara Dickinson e397d1e020 Fix error that was not allowing cipher suite fallback for opportunistic TLS. 2015-10-25 15:28:20 +00:00
Willem Toorop 4cbdfde0e6 Typo fix 2015-10-22 16:26:32 +02:00
Willem Toorop c613743644 Update spec to 0.701 2015-10-22 15:12:15 +02:00
Willem Toorop 973fcbddcc Don't assume mini_event loop 2015-10-22 14:38:34 +02:00
Willem Toorop 47b77c948a Fix small memory leak when switching event loops 2015-10-22 14:16:53 +02:00
Willem Toorop 98a2c497d2 ldns CFLAGS for tests (+ make deps) 2015-10-22 13:46:23 +02:00
Willem Toorop fbc3b2d6a8 Use the NOT_IMPLEMENTED return code! 2015-10-22 12:13:40 +02:00
Willem Toorop b88c74b4c8 Synchronize with October 2015 spec 2015-10-22 12:02:04 +02:00
Willem Toorop 276b4c6cd8 Update dependencies and add Andrew Cathrow to team 2015-10-22 11:32:20 +02:00
Willem Toorop d601443c7e Bump versions and ChangeLog for 0.5.0rc1 2015-10-21 17:19:50 +02:00
Willem Toorop 31a07752f0 New non API functions + consts in getdns_extra.h 2015-10-21 17:02:50 +02:00
Willem Toorop ebd94f48cf Anticipate missing X509_V_ERR_HOSTNAME_MISMATCH 2015-10-21 16:01:40 +02:00